Update on executions

byt3n33dl3 · Jul 15, 2024 · 252a3f2 · 252a3f2
1 parent 5c109d2
commit 252a3f2
Show file tree

Hide file tree

Showing 79 changed files with 29,630 additions and 0 deletions.
diff --git a/cme/execute-pe/beacon.h b/cme/execute-pe/beacon.h
@@ -0,0 +1,69 @@
+/*
+ * Beacon Object Files (BOF)
+ * -------------------------
+ * A Beacon Object File is a light-weight post exploitation tool that runs
+ * with Beacon's inline-execute command.
+ *
+ * Additional BOF resources are available here:
+ *   - https://github.com/Cobalt-Strike/bof_template
+ *
+ * Cobalt Strike 4.x
+ * ChangeLog:
+ *    1/25/2022: updated for 4.5
+ */
+
+/* data API */
+typedef struct {
+	char * original; /* the original buffer [so we can free it] */
+	char * buffer;   /* current pointer into our buffer */
+	int    length;   /* remaining length of data */
+	int    size;     /* total size of this buffer */
+} datap;
+
+DECLSPEC_IMPORT void    BeaconDataParse(datap * parser, char * buffer, int size);
+DECLSPEC_IMPORT char *  BeaconDataPtr(datap * parser, int size);
+DECLSPEC_IMPORT int     BeaconDataInt(datap * parser);
+DECLSPEC_IMPORT short   BeaconDataShort(datap * parser);
+DECLSPEC_IMPORT int     BeaconDataLength(datap * parser);
+DECLSPEC_IMPORT char *  BeaconDataExtract(datap * parser, int * size);
+
+/* format API */
+typedef struct {
+	char * original; /* the original buffer [so we can free it] */
+	char * buffer;   /* current pointer into our buffer */
+	int    length;   /* remaining length of data */
+	int    size;     /* total size of this buffer */
+} formatp;
+
+DECLSPEC_IMPORT void    BeaconFormatAlloc(formatp * format, int maxsz);
+DECLSPEC_IMPORT void    BeaconFormatReset(formatp * format);
+DECLSPEC_IMPORT void    BeaconFormatAppend(formatp * format, char * text, int len);
+DECLSPEC_IMPORT void    BeaconFormatPrintf(formatp * format, char * fmt, ...);
+DECLSPEC_IMPORT char *  BeaconFormatToString(formatp * format, int * size);
+DECLSPEC_IMPORT void    BeaconFormatFree(formatp * format);
+DECLSPEC_IMPORT void    BeaconFormatInt(formatp * format, int value);
+
+/* Output Functions */
+#define CALLBACK_OUTPUT      0x0
+#define CALLBACK_OUTPUT_OEM  0x1e
+#define CALLBACK_OUTPUT_UTF8 0x20
+#define CALLBACK_ERROR       0x0d
+
+DECLSPEC_IMPORT void   BeaconOutput(int type, char * data, int len);
+DECLSPEC_IMPORT void   BeaconPrintf(int type, char * fmt, ...);
+
+
+/* Token Functions */
+DECLSPEC_IMPORT BOOL   BeaconUseToken(HANDLE token);
+DECLSPEC_IMPORT void   BeaconRevertToken();
+DECLSPEC_IMPORT BOOL   BeaconIsAdmin();
+
+/* Spawn+Inject Functions */
+DECLSPEC_IMPORT void   BeaconGetSpawnTo(BOOL x86, char * buffer, int length);
+DECLSPEC_IMPORT void   BeaconInjectProcess(HANDLE hProc, int pid, char * payload, int p_len, int p_offset, char * arg, int a_len);
+DECLSPEC_IMPORT void   BeaconInjectTemporaryProcess(PROCESS_INFORMATION * pInfo, char * payload, int p_len, int p_offset, char * arg, int a_len);
+DECLSPEC_IMPORT BOOL   BeaconSpawnTemporaryProcess(BOOL x86, BOOL ignoreToken, STARTUPINFO * si, PROCESS_INFORMATION * pInfo);
+DECLSPEC_IMPORT void   BeaconCleanupProcess(PROCESS_INFORMATION * pInfo);
+
+/* Utility Functions */
+DECLSPEC_IMPORT BOOL   toWideChar(char * src, wchar_t * dst, int max);
diff --git a/cme/execute-pe/bofdefs.h b/cme/execute-pe/bofdefs.h
@@ -0,0 +1,276 @@
+#pragma once
+#include <windows.h>
+#include <stdio.h>
+#include <corecrt.h>
+#include <winternl.h>
+#include <stdlib.h>
+#include <io.h>
+#include <fcntl.h>
+#include <inttypes.h>
+#include <tlhelp32.h>
+
+//MSVCRT
+WINBASEAPI void __cdecl MSVCRT$free(void *_Memory);
+WINBASEAPI void *__cdecl MSVCRT$malloc(size_t size);
+WINBASEAPI size_t __cdecl MSVCRT$strlen(const char*);
+WINBASEAPI void *__cdecl MSVCRT$memcpy(void*, void*, size_t);
+WINBASEAPI void *__cdecl MSVCRT$calloc(size_t _NumOfElements, size_t _SizeOfElements);
+WINBASEAPI void __cdecl MSVCRT$memset(void *dest, int c, size_t count);
+WINBASEAPI size_t __cdecl MSVCRT$wcslen(const wchar_t *_Str);
+WINBASEAPI int __cdecl MSVCRT$_stricmp (LPCSTR lpString1, LPCSTR lpString2);
+WINBASEAPI int __cdecl MSVCRT$_dup (int _FileHandle);
+WINBASEAPI int __cdecl MSVCRT$_dup2(int _FileHandleSrc, int _FileHandleDst);
+WINBASEAPI int __cdecl MSVCRT$_open_osfhandle(intptr_t _OSFileHandle, int _Flags);
+WINBASEAPI int __cdecl MSVCRT$_fileno(FILE* _Stream);
+WINBASEAPI int __cdecl MSVCRT$setvbuf(FILE* _Stream, char* _Buffer, int _Mode, size_t _Size);
+WINBASEAPI int __cdecl MSVCRT$_close(int _FileHandle);
+WINBASEAPI int __cdecl MSVCRT$_flushall(void);
+WINBASEAPI int __cdecl MSVCRT$printf(const char* format);
+WINBASEAPI errno_t __cdecl MSVCRT$freopen_s (FILE** stream, const char* fileName, const char* mode, FILE* oldStream);
+WINBASEAPI FILE* __cdecl MSVCRT$__iob_func();
+WINBASEAPI int __cdecl MSVCRT$fclose(FILE* stream);
+WINBASEAPI char* __cdecl MSVCRT$_itoa(int value, char* str, int base);
+WINBASEAPI int __cdecl MSVCRT$_atoi(const char* str);
+WINBASEAPI int __cdecl MSVCRT$sprintf_s(char* buffer, size_t sizeOfBuffer, const char* format, ...);
+WINBASEAPI unsigned long long __cdecl MSVCRT$_strtoull(const char* strSource, char** endptr, int base);
+WINBASEAPI __int64 __cdecl MSVCRT$_strtoi64(const char* strSource, char** endptr, int base);
+WINBASEAPI void __cdecl MSVCRT$_cexit();
+WINBASEAPI int __cdecl MSVCRT$strcmp(const char* string1, const char* string2);
+WINBASEAPI int __cdecl MSVCRT$wcscmp(const wchar_t* string1, const wchar_t* string2);
+
+//K32
+WINBASEAPI int WINAPI KERNEL32$WideCharToMultiByte (UINT CodePage, DWORD dwFlags, LPCWCH lpWideCharStr, int cchWideChar, LPSTR lpMultiByteStr, int cbMultiByte, LPCCH lpDefaultChar, LPBOOL lpUsedDefaultChar);
+WINBASEAPI int WINAPI  KERNEL32$MultiByteToWideChar ( UINT CodePage, DWORD dwFlags, LPCCH lpMultiByteStr, int cbMultiByte, LPWSTR lpWideCharStr, int cchWideChar);
+WINBASEAPI DECLSPEC_NORETURN VOID WINAPI KERNEL32$ExitThread (DWORD dwExitCode);
+WINBASEAPI HLOCAL WINAPI KERNEL32$LocalFree(HLOCAL hMem);
+WINBASEAPI HMODULE WINAPI KERNEL32$LoadLibraryA (LPCSTR lpLibFileName);
+WINBASEAPI FARPROC WINAPI KERNEL32$GetProcAddress (HMODULE hModule, LPCSTR lpProcName);
+WINBASEAPI void * WINAPI KERNEL32$VirtualAlloc (LPVOID lpAddress, SIZE_T dwSize, DWORD flAllocationType, DWORD flProtect);
+WINBASEAPI int WINAPI KERNEL32$VirtualFree (LPVOID lpAddress, SIZE_T dwSize, DWORD dwFreeType);
+WINBASEAPI BOOL WINAPI KERNEL32$CreatePipe(PHANDLE hReadPipe, PHANDLE hWritePipe, LPSECURITY_ATTRIBUTES lpPipeAttributes, DWORD nSize);
+WINBASEAPI HANDLE WINAPI KERNEL32$CreateThread (LPSECURITY_ATTRIBUTES lpThreadAttributes, SIZE_T dwStackSize, LPTHREAD_START_ROUTINE lpStartAddress, LPVOID lpParameter, DWORD dwCreationFlags, LPDWORD lpThreadId);
+WINBASEAPI DWORD WINAPI KERNEL32$WaitForSingleObject (HANDLE hHandle, DWORD dwMilliseconds);
+WINBASEAPI BOOL WINAPI KERNEL32$PeekNamedPipe(HANDLE hNamedPipe, LPVOID lpBuffer, DWORD nBufferSize, LPDWORD lpBytesRead, LPDWORD lpTotalBytesAvail, LPDWORD lpBytesLeftThisMessage);
+WINBASEAPI WINBOOL WINAPI KERNEL32$ReadFile (HANDLE hFile, LPVOID lpBuffer, DWORD nNumberOfBytesToRead, LPDWORD lpNumberOfBytesRead, LPOVERLAPPED lpOverlapped);
+WINBASEAPI DWORD WINAPI KERNEL32$GetLastError (VOID);
+WINBASEAPI BOOL WINAPI KERNEL32$CloseHandle(HANDLE hObject);
+WINBASEAPI HWND  WINAPI KERNEL32$GetConsoleWindow(void);
+WINBASEAPI BOOL WINAPI KERNEL32$AllocConsole(void);
+WINBASEAPI BOOL WINAPI KERNEL32$FreeConsole(void);
+WINBASEAPI HANDLE WINAPI KERNEL32$GetStdHandle(DWORD nStdHandle);
+WINBASEAPI HANDLE WINAPI KERNEL32$CreateFileA(LPCSTR lpFileName, DWORD dwDesiredAccess, DWORD dwShareMode, LPSECURITY_ATTRIBUTES lpSecurityAttributes, DWORD dwCreationDisposition, DWORD dwFlagsAndAttributes, HANDLE hTemplatefile);
+WINBASEAPI BOOL WINAPI KERNEL32$SetStdHandle(DWORD nStdHandle, HANDLE hHandle);
+WINBASEAPI void WINAPI KERNEL32$SetLastError(DWORD dwErrCode);
+WINBASEAPI BOOL WINAPI KERNEL32$FreeConsole(void);
+WINBASEAPI void WINAPI KERNEL32$Sleep(DWORD dwMilliseconds);
+WINBASEAPI DWORD WINAPI KERNEL32$GetProcessId(HANDLE Process);
+WINBASEAPI HWND WINAPI KERNEL32$GetConsoleWindow(void);
+WINBASEAPI HLOCAL WINAPI KERNEL32$LocalAlloc(UINT uFlags, SIZE_T uBytes); 
+WINBASEAPI DWORD WINAPI KERNEL32$GetCurrentProcessId();
+WINBASEAPI DWORD WINAPI KERNEL32$ProcessIdToSessionId(DWORD dwProcessID, DWORD* pSessionId);
+WINBASEAPI HANDLE WINAPI KERNEL32$CreateToolhelp32Snapshot(DWORD dwFlags, DWORD th32ProcessID);
+WINBASEAPI BOOL WINAPI KERNEL32$Process32First(HANDLE hSnapshot, LPPROCESSENTRY32 lppe);
+WINBASEAPI BOOL WINAPI KERNEL32$Process32Next(HANDLE hSnapshot, LPPROCESSENTRY32 lppe);
+WINBASEAPI HANDLE WINAPI KERNEL32$OpenProcess(DWORD dwDesiredAccess, BOOL bInheritHandle, DWORD dwProcessId);
+WINBASEAPI BOOL WINAPI KERNEL32$TerminateProcess(HANDLE hProcess, UINT uExitcode);
+WINBASEAPI DWORD WINAPI KERNEL32$GetProcessHeaps(DWORD NumberOfHeaps, PHANDLE ProcessHeaps);
+WINBASEAPI BOOL WINAPI KERNEL32$QueryPerformanceCounter(LARGE_INTEGER *lpPerformanceCount);
+WINBASEAPI BOOL WINAPI KERNEL32$QueryPerformanceFrequency(LARGE_INTEGER *lpFrequency);
+WINBASEAPI BOOL WINAPI KERNEL32$TerminateThread(HANDLE hthread, DWORD dwExitCode);
+WINBASEAPI BOOL WINAPI KERNEL32$FreeLibrary(HANDLE hLibModule);
+WINBASEAPI BOOL WINAPI KERNEL32$VirtualProtect(LPVOID lpAddress, SIZE_T dwSize, DWORD flNewProtect, PDWORD lpfOldProtect);
+WINBASEAPI DWORD WINAPI KERNEL32$QueueUserAPC(PAPCFUNC pfnAPC, HANDLE hThread, ULONG_PTR dwData);
+WINBASEAPI DWORD WINAPI KERNEL32$SuspendThread(HANDLE hThread);
+WINBASEAPI BOOL WINAPI KERNEL32$SetThreadContext(HANDLE hThread, CONTEXT *lpContext);
+WINBASEAPI BOOL WINAPI KERNEL32$GetThreadContext(HANDLE hThread, LPCONTEXT lpContext);
+WINBASEAPI DWORD WINAPI KERNEL32$ResumeThread(HANDLE hThread);
+WINBASEAPI DWORD WINAPI KERNEL32$GetThreadId(HANDLE hThread);
+WINBASEAPI HANDLE WINAPI KERNEL32$OpenThread(DWORD dwDesiredAccess, BOOL bInheritHandle, DWORD dwThreadId);
+WINBASEAPI DWORD WINAPI KERNEL32$GetModuleFileNameA(HANDLE hModule, LPSTR lpFilename, DWORD nSize);
+WINBASEAPI BOOL WINAPI KERNEL32$GetFileSizeEx(HANDLE hFile, PLARGE_INTEGER lpFileSize);
+
+//PSAPI
+WINBASEAPI BOOL WINAPI PSAPI$EnumProcessModules(HANDLE HProcess, HMODULE *lphModule, DWORD cb, LPDWORD lpcbNeeded);
+
+//USER32
+WINBASEAPI BOOL WINAPI USER32$ShowWindow(HWND hWnd, int nCmdShow);
+WINBASEAPI int WINAPI USER32$MessageBoxA(HWND hWnd, LPCSTR lpText, LPCSTR lpCaption, UINT uType);
+
+//SHELL32
+WINBASEAPI LPWSTR* WINAPI SHELL32$CommandLineToArgvW(LPCWSTR lpCMdLine, int* pNumArgs);
+
+//NTDLL
+WINBASEAPI NTSTATUS NTAPI NTDLL$NtQueryInformationProcess(HANDLE, PROCESSINFOCLASS, PVOID, ULONG, PULONG);
+
+//MSVCRT
+#define malloc                      MSVCRT$malloc
+#define free                        MSVCRT$free
+#define strlen                      MSVCRT$strlen
+#define memcpy                      MSVCRT$memcpy
+#define calloc                      MSVCRT$calloc
+#define memset                      MSVCRT$memset
+#define wcslen                      MSVCRT$wcslen
+#define _stricmp                    MSVCRT$_stricmp
+#define _dup                        MSVCRT$_dup
+#define _dup2                       MSVCRT$_dup2
+#define _open_osfhandle             MSVCRT$_open_osfhandle
+#define _fileno                     MSVCRT$_fileno
+#define setvbuf                     MSVCRT$setvbuf
+#define _close                      MSVCRT$_close
+#define _flushall                   MSVCRT$_flushall
+#define printf                      MSVCRT$printf
+#define freopen_s                   MSVCRT$freopen_s
+#define __iob_func                  MSVCRT$__iob_func
+#define fclose                      MSVCRT$fclose
+#define _itoa                       MSVCRT$_itoa
+#define _atoi                       MSVCRT$_atoi
+#define sprintf_s                   MSVCRT$sprintf_s
+#define _strtoull                   MSVCRT$_strtoull
+#define _strtoi64                   MSVCRT$_strtoi64
+#define _cexit 						MSVCRT$_cexit
+#define strcmp 						MSVCRT$strcmp
+#define wcscmp 						MSVCRT$wcscmp
+#define sscanf 						MSVCRT$sscanf
+
+
+//K32
+#define ReadProcessMemory           KERNEL32$ReadProcessMemory
+#define GetCurrentProcess           KERNEL32$GetCurrentProcess 
+#define WideCharToMultiByte         KERNEL32$WideCharToMultiByte
+#define MultiByteToWideChar         KERNEL32$MultiByteToWideChar
+#define ExitThread                  KERNEL32$ExitThread
+#define LocalFree                   KERNEL32$LocalFree
+#define LoadLibraryA                KERNEL32$LoadLibraryA
+#define GetProcAddress              KERNEL32$GetProcAddress
+#define VirtualAlloc                KERNEL32$VirtualAlloc
+#define VirtualFree                 KERNEL32$VirtualFree
+#define CreatePipe                  KERNEL32$CreatePipe
+#define CreateThread                KERNEL32$CreateThread
+#define WaitForSingleObject         KERNEL32$WaitForSingleObject
+#define PeekNamedPipe               KERNEL32$PeekNamedPipe
+#define ReadFile                    KERNEL32$ReadFile
+#define GetLastError                KERNEL32$GetLastError
+#define CloseHandle                 KERNEL32$CloseHandle
+#define GetConsoleWindow            KERNEL32$GetConsoleWindow
+#define AllocConsole                KERNEL32$AllocConsole
+#define FreeConsole                 KERNEL32$FreeConsole
+#define GetStdHandle                KERNEL32$GetStdHandle
+#define SetStdHandle                KERNEL32$SetStdHandle
+#define CreateFileA                 KERNEL32$CreateFileA
+#define SetLastError                KERNEL32$SetLastError
+#define FreeConsole                 KERNEL32$FreeConsole
+#define Sleep                       KERNEL32$Sleep
+#define GetProcessId                KERNEL32$GetProcessId
+#define GetConsoleWindow            KERNEL32$GetConsoleWindow
+#define LocalAlloc 					KERNEL32$LocalAlloc
+#define GetCurrentProcessId 		KERNEL32$GetCurrentProcessId
+#define ProcessIdToSessionId 		KERNEL32$ProcessIdToSessionId
+#define CreateToolhelp32Snapshot 	KERNEL32$CreateToolhelp32Snapshot
+#define Process32First				KERNEL32$Process32First
+#define Process32Next 				KERNEL32$Process32Next
+#define OpenProcess 				KERNEL32$OpenProcess
+#define TerminateProcess 			KERNEL32$TerminateProcess
+#define GetProcessHeaps 			KERNEL32$GetProcessHeaps
+#define QueryPerformanceCounter 	KERNEL32$QueryPerformanceCounter
+#define QueryPerformanceFrequency 	KERNEL32$QueryPerformanceFrequency
+#define TerminateThread 			KERNEL32$TerminateThread
+#define FreeLibrary 				KERNEL32$FreeLibrary
+#define VirtualProtect 				KERNEL32$VirtualProtect
+#define SuspendThread 				KERNEL32$SuspendThread
+#define GetThreadContext 			KERNEL32$GetThreadContext
+#define SetThreadContext 			KERNEL32$SetThreadContext
+#define ResumeThread 				KERNEL32$ResumeThread
+#define GetThreadId 				KERNEL32$GetThreadId
+#define OpenThread 					KERNEL32$OpenThread
+#define GetModuleFileNameA 			KERNEL32$GetModuleFileNameA
+#define GetFileSizeEx 				KERNEL32$GetFileSizeEx
+
+//PSAPI
+#define EnumProcessModules 			PSAPI$EnumProcessModules
+
+//USER32
+#define ShowWindow                  USER32$ShowWindow
+#define MessageBoxA 				USER32$MessageBoxA
+
+//SHELL32
+#define CommandLineToArgvW          SHELL32$CommandLineToArgvW
+
+//NTDLL
+#define NtQueryInformationProcess   NTDLL$NtQueryInformationProcess
+
+//Structures invovled in parsing PEB
+
+#define RTL_MAX_DRIVE_LETTERS 32
+
+typedef UNICODE_STRING* PUNICODE_STRING;
+
+typedef struct _RTL_DRIVE_LETTER_CURDIR {
+	USHORT                  Flags;
+	USHORT                  Length;
+	ULONG                   TimeStamp;
+	UNICODE_STRING          DosPath;
+} RTL_DRIVE_LETTER_CURDIR, * PRTL_DRIVE_LETTER_CURDIR;
+
+
+typedef struct _CURDIR
+{
+	UNICODE_STRING DosPath;
+	HANDLE Handle;
+} CURDIR, * PCURDIR;
+
+typedef struct _uRTL_USER_PROCESS_PARAMETERS
+{
+	ULONG MaximumLength;
+	ULONG Length;
+
+	ULONG Flags;
+	ULONG DebugFlags;
+
+	HANDLE ConsoleHandle;
+	ULONG ConsoleFlags;
+	HANDLE StandardInput;
+	HANDLE StandardOutput;
+	HANDLE StandardError;
+
+	CURDIR CurrentDirectory;
+	UNICODE_STRING DllPath;
+	UNICODE_STRING ImagePathName;
+	UNICODE_STRING CommandLine;
+	PVOID Environment;
+
+	ULONG StartingX;
+	ULONG StartingY;
+	ULONG CountX;
+	ULONG CountY;
+	ULONG CountCharsX;
+	ULONG CountCharsY;
+	ULONG FillAttribute;
+
+	ULONG WindowFlags;
+	ULONG ShowWindowFlags;
+	UNICODE_STRING WindowTitle;
+	UNICODE_STRING DesktopInfo;
+	UNICODE_STRING ShellInfo;
+	UNICODE_STRING RuntimeData;
+	RTL_DRIVE_LETTER_CURDIR CurrentDirectories[RTL_MAX_DRIVE_LETTERS];
+
+	ULONG EnvironmentSize;
+	ULONG EnvironmentVersion;
+	PVOID PackageDependencyData; //8+
+	ULONG ProcessGroupId;
+	// ULONG LoaderThreads;
+} uRTL_USER_PROCESS_PARAMETERS, * uPRTL_USER_PROCESS_PARAMETERS;
+
+struct MemAddrs {
+	BYTE* pImageBase;
+	BYTE* pBackupImage;
+	DWORD AddressOfEntryPoint;
+	DWORD SizeOfImage;
+	FILE* fout;
+	FILE* ferr;
+	HANDLE hreadout;
+	HANDLE hwriteout;
+	int fo;
+	DWORD dwNumModules;
+	BOOL bCloseFHandles;
+};